shorewall_simple

An Ansible role to set up and configure Shorewall in a simple environment on Debian/CentOS-based distros.

  • Owner: pdellaert/shorewall_simple
  • Platform: Linux
  • License: BSD 4-Clause "Original" or "Old" License

Overview

  • Name With Owner: pdellaert/shorewall_simple
  • Primary Language: (Language Count: 0)
  • Platform: Linux
  • License: BSD 4-Clause "Original" or "Old" License
  • Release Count: 0
  • Created At: 2013-12-21 21:49:16
  • Pushed At: 2016-05-20 20:40:36
  • Last Commit At: 2015-11-16 16:02:36
  • Stargazers Count: 9
  • Watchers Count: 3
  • Fork Count: 10
  • Commits Count: 3
  • Issues Count: 0
  • Issue Open Count: 0
  • Pull Requests Count: 1
  • Pull Requests Open Count: 0
  • Pull Requests Close Count: 1

shorewall_simple

WARNING: This role can be dangerous to use. If you lose network connectivity
to your target host by incorrectly configuring your firewall, you may be
unable to recover without physical access to the machine.

This role installs and configures Shorewall for a simple, single network interface (can be a bond, of course) server.

Requirements

This role requires Ansible 1.4 or higher and platform requirements are listed
in the metadata file.

Role Variables

The variables that can be passed to this role, each with a brief description,
are listed below. They are all based on the configuration variables of
Shorewall itself.

shorewall_enabled: "Yes"
shorewall_startup: 1
shorewall_wait_interface: "eth0"
shorewall_options: ""
shorewall_startoptions: ""
shorewall_restartoptions: ""
shorewall_initlog: "/var/log/shorewall_init.log"
shorewall_safestop: 0

shorewall_zones:
- zone: "fw"
  type: "firewall"
- zone: "net"
  type: "ipv4"
  options: "-"
  options_in: "strict"
  options_out: "-"

shorewall_interfaces:
- interface: "eth0"
  zone: "net"
  broadcast: "detect"
  options: "dhcp,tcpflags,nosmurfs,logmartians"

shorewall_policies:
- source: "$FW"
  destination: "net"
  policy: "ACCEPT"
- source: "net"
  destination: "$FW"
  policy: "ACCEPT"
- source: "all"
  destination: "all"
  policy: "DROP"
  log_level: "info"
  burst_limit: "10/second:100"

shorewall_rules:
- section: "NEW"
  rules:
  - action: "ACCEPT"
    source: "net"
    destination: "$FW"
    protocol: "tcp"
    destination_port: 22
    source_port: "-"
    original_destination: "-"
    rate_limit: "-"
    user_group: "-"
    mark: "-"
    connection_limit: "-"
    time: "-"
    headers: "-"
    switch: "-"

Examples

  1. Example allowing all traffic in and out

    - hosts: all
      roles:
        - role: shorewall_simple
          shorewall_enabled: "Yes"
          shorewall_zones:
            - zone: "fw"
              type: "firewall"
            - zone: "net"
              type: "ipv4"
          shorewall_interfaces:
            - interface: "eth0"
              zone: "net"
              broadcast: "detect"
              options: "dhcp,tcpflags,nosmurfs,logmartians"
          shorewall_policies:
            - source: "all"
              destination: "all"
              policy: "ACCEPT"
  2. Example allowing all outgoing traffic but blocking and logging incoming
    traffic, while allowing incoming SSH traffic and accepting Ping

    - hosts: all
      roles:
        - role: shorewall_simple
          shorewall_enabled: "Yes"
          shorewall_zones:
            - zone: "fw"
              type: "firewall"
            - zone: "net"
              type: "ipv4"
          shorewall_interfaces:
            - interface: "eth0"
              zone: "net"
              broadcast: "detect"
              options: "dhcp,tcpflags,nosmurfs,logmartians"
          shorewall_policies:
            - source: "$FW"
              destination: "net"
              policy: "ACCEPT"
            - source: "net"
              destination: "$FW"
              policy: "DROP"
              log_level: "info"
            - source: "all"
              destination: "all"
              policy: "DROP"
          shorewall_rules:
            - section: "NEW"
              rules:
                - action: "Ping/ACCEPT"
                  source: "net"
                  destination: "$FW"
                - action: "ACCEPT"
                  source: "net"
                  destination: "$FW"
                  protocol: "tcp"
                  destination_port: 22
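As an added example (not part of the role or its README), the following Python pre-flight check evaluates a set of these role variables the way Shorewall does, NEW-section rules before the first matching policy, and reports whether SSH from the `net` zone to `$FW` would still be accepted; a `False` is exactly the lock-out the WARNING at the top describes. `EXAMPLE_2` is a constructed copy of the second example above, `LOCKOUT` is the same data with the SSH rule removed, and the function names are this example's own.

```python
# Added example, not part of the shorewall_simple role: a pre-flight check
# over the role's variable structures. Once Shorewall applies these policies
# and rules, does TCP/22 from the "net" zone to the firewall itself ($FW)
# still get ACCEPTed, or would running the playbook lock the operator out?
# Order mirrors Shorewall: NEW rules first, then first matching policy ("all" wildcard).

def _zone_matches(pattern, zone):
    return pattern in (zone, "all")

def policy_for(policies, src, dst):
    """Disposition of the first policy matching src -> dst, or None."""
    for p in policies:
        if _zone_matches(p["source"], src) and _zone_matches(p["destination"], dst):
            return p["policy"]
    return None  # no match: Shorewall itself would refuse to compile this

def ssh_allowed(variables, zone="net"):
    """True if SSH from `zone` to $FW ends up ACCEPTed by a rule or policy."""
    for section in variables.get("shorewall_rules", []):
        if section["section"] != "NEW":
            continue
        for r in section["rules"]:
            hits_ssh = (r.get("protocol") == "tcp"
                        and str(r.get("destination_port")) in ("22", "ssh"))
            if r["source"] == zone and r["destination"] == "$FW" and hits_ssh:
                # plain "ACCEPT" or a macro such as "SSH/ACCEPT": disposition is last
                return r["action"].split("/")[-1].upper() == "ACCEPT"
    return policy_for(variables["shorewall_policies"], zone, "$FW") == "ACCEPT"

# Constructed sample data: the README's second example, and the same
# variables with the SSH rule dropped (the lock-out case).
EXAMPLE_2 = {
    "shorewall_policies": [
        {"source": "$FW", "destination": "net", "policy": "ACCEPT"},
        {"source": "net", "destination": "$FW", "policy": "DROP", "log_level": "info"},
        {"source": "all", "destination": "all", "policy": "DROP"},
    ],
    "shorewall_rules": [{"section": "NEW", "rules": [
        {"action": "Ping/ACCEPT", "source": "net", "destination": "$FW"},
        {"action": "ACCEPT", "source": "net", "destination": "$FW",
         "protocol": "tcp", "destination_port": 22},
    ]}],
}
LOCKOUT = {"shorewall_policies": EXAMPLE_2["shorewall_policies"],  # Ping rule only
           "shorewall_rules": [{"section": "NEW", "rules": EXAMPLE_2["shorewall_rules"][0]["rules"][:1]}]}

if __name__ == "__main__":
    for name, v in (("example 2", EXAMPLE_2), ("lockout", LOCKOUT)):
        print(f"{name}: SSH from net", "ok" if ssh_allowed(v) else "BLOCKED, do not apply")
```

Run it against the variables a playbook is about to push (for instance loaded from its vars file) before the role is applied to a remote host you cannot reach physically.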

Dependencies

All systems:

  • iptables

Red Hat-based distributions:

  • EPEL

License

BSD

Author Information

Philippe Dellaert